Commonwealth Bank (commbank.com.au) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

Commonwealth Bank operates a heavily integrated digital estate — public marketing sites, authenticated NetBank and CommBank app backends, CommSec brokerage APIs, open-banking / BSB / payment rails, Business Lending portals, FX and institutional trading tools, card-management platforms, CRM pipelines holding customer PII and transaction histories, plus partner and subsidiary integrations — fertile ground for broken access control, cross-customer data leaks, and transaction or payment-manipulation chains if any boundary slips. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

In scope materially: every HTTP(S) origin answering for commbank.com.au and delegated subdomains, NetBank authentication portals, CommBank mobile backends, CommSec trading APIs, payment and card-management endpoints, business-lending dashboards, open-banking / NPP / BPAY gateway surfaces, FX/institutional trading rails, and any subsidiary or partner portals Commonwealth Bank operates or configures.
Civil exclusions only: mass harassment, ransomware against unrelated third parties, laundering. Not product carve-outs.

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proofs of successful exploitation replayable by Commonwealth Bank responders (Burp transcripts, scripted API sequences, SSRF egress captures, payment-bypass traces, customer-data-exfiltration proofs…).

These rows do not impose limits — shorthand for tagging reports. Anything Commonwealth Bank hosts, signs, proxies, caches, orchestrates, or webhook-delivers counts as bounty ground even if undocumented here. Treat "not listed" ≠ "out-of-scope": default stance is open scope across Commonwealth Bank.

This playbook refuses "only these SKU endpoints." NetBank sub-tenants, CommSec staging mirrors, mobile app backends, business-lending dashboards, FX trading rails, partner-integrated card services — all bounty eligible when critical impact is reproducible.

• Every apex / vanity hostname routing through Commonwealth Bank edge — claim routing evidence in your chain write-up.
• NetBank and CommBank app authentication portals and role-based dashboards
• CommSec trading and brokerage APIs, plus any open-banking / NPP gateway surfaces
• Partner or subsidiary API bridges Commonwealth Bank operates or signs

1. Prove exploitation success. Ship artefacts third parties rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, payment-bypass scripts with verified ledger-state mutation.
2. Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (customer ATO, cross-account bleed, payment fraud, brokerage order tampering, infra takeover…).
3. Responsible blast radius documentation. Quantify customers, accounts, or transactions affected even when exercised only on staging mirrors that mirror routing + auth faithfully.
4. Encrypt & ship privately. Use sanctioned intake on commbank.com.au (see submit section) before broadcasting exploit details.
5. Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on collisions.

Start from the security / disclosure contact publicly listed on commbank.com.au (security@commbank.com.au is a common pattern — verify on the vendor site before sending). Mandatory sections mirror below.

# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to Commbank critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / customer context / API key scope)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → customer ATO / cross-account damage / payment fraud / brokerage tampering equivalent

## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Payment or account logs proving forged operation accepted

## Reproduction package
Commands + fixtures + pinned SHAs

## Disclosure ack
Responsible channel only until Commonwealth Bank clears publication coordination

Pseudocode for account-ownership check skipped on direct internal API access — useless without traces proving unauthenticated commbank.com.au calls mutate protected customer or payment state.

// BUGGY: account-ownership guard skipped when called via internal microservice path
function resolveAccountContext($request) {
    $accountId = $request->header('X-CommBank-Account-Id');
    if ($request->isInternalService()) {
        // internal calls skip ownership verification entirely
        return Account::withFullAccess($accountId);
    }
    return Account::withVerifiedOwner($accountId);
}